CVE-2024-27920

7.4 HIGH

📋 TL;DR

This vulnerability in Nuclei v3 allows execution of unsigned code templates through workflows, potentially enabling attackers to run malicious code on systems using custom workflows. It affects users who utilize custom workflows in Nuclei v3 before version 3.2.0. The risk is highest for security teams running custom vulnerability scanning workflows.

💻 Affected Systems

Products:
  • projectdiscovery/nuclei
Versions: Nuclei v3 versions before 3.2.0
Operating Systems: All platforms where Nuclei runs (Linux, Windows, macOS)
Default Config Vulnerable: ✅ No
Notes: Only affects users who utilize custom workflows with unsigned code templates. Default installations without custom workflows are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Local privilege escalation or execution of arbitrary commands within the context of the Nuclei user, potentially leading to data theft or system manipulation.

🟢 If Mitigated

No impact when using only signed, verified templates from trusted sources or when workflows are disabled.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to craft a malicious workflow that the victim executes. The vulnerability is in template execution logic, not network-facing services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nuclei v3.2.0

Vendor Advisory: https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-w5wx-6g2r-r78q

Restart Required: No

Instructions:

1. Update Nuclei using: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
2. Verify installation with: nuclei -version
3. Ensure version shows 3.2.0 or higher

🔧 Temporary Workarounds

Disable custom workflows

Platform: all

Prevent execution of custom workflows entirely

nuclei -disable-workflows

Use only signed templates

Platform: all

Configure Nuclei to only execute signed, verified templates

nuclei -signature-check

🧯 If You Can't Patch

  • Immediately stop using custom workflows and disable workflow functionality
  • Only execute templates from trusted, verified sources and avoid downloading templates from untrusted repositories

🔍 How to Verify

Check if Vulnerable:

Check if using Nuclei v3 before 3.2.0 with custom workflows enabled

Check Version:

nuclei -version

Verify Fix Applied:

Run 'nuclei -version' and confirm version is 3.2.0 or higher
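
The version check above can be scripted. The following is an added example, not code from the Nuclei project or the advisory; the function names and the sample version lines are constructed, and the exact output format of 'nuclei -version' is an assumption, so the script only looks for the first MAJOR.MINOR.PATCH token in whatever text it is given.

```shell
#!/bin/sh
# Classify a Nuclei version string against the affected range stated on
# this page: Nuclei v3 before 3.2.0. Function names are hypothetical.

# Print the first MAJOR.MINOR.PATCH[-prerelease] token found in $1, if any.
extract_version() {
    printf '%s\n' "$1" \
        | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?' \
        | head -n 1
}

# Print "affected", "not-affected" or "unknown" for the text in $1.
nuclei_status() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    core=${ver%%-*}            # strip any pre-release suffix
    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 3 ]; then
        echo not-affected      # the page only lists v3 as affected
    elif [ "$minor" -lt 2 ]; then
        echo affected          # 3.0.x and 3.1.x (numeric compare, so 3.10.0 is fine)
    elif [ "$minor" -eq 2 ] && [ "$patch" -eq 0 ] && [ "$ver" != "$core" ]; then
        echo affected          # a 3.2.0 pre-release sorts before 3.2.0
    else
        echo not-affected
    fi
}

# Constructed sample inputs (not captured from a real installation).
for line in \
    '[INF] Nuclei Engine Version: v3.1.10' \
    '[INF] Nuclei Engine Version: v3.2.0' \
    'v3.2.0-dev' \
    'v3.10.0' \
    'no version in this line'
do
    printf '%-40s %s\n' "$line" "$(nuclei_status "$line")"
done

# Against a real installation (stderr is merged in case the banner goes there):
#   nuclei_status "$(nuclei -version 2>&1)"
```

A result of "unknown" means no version token was found in the output, so the installed version still has to be confirmed by hand.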

📡 Detection & Monitoring

Log Indicators:

  • Unexpected code execution in Nuclei logs
  • Execution of unsigned templates in workflow logs

Network Indicators:

  • Unusual outbound connections from Nuclei process
  • Downloads from untrusted template repositories

SIEM Query:

process_name:nuclei AND (command_line:*workflow* OR command_line:*template*)
